When a File is added to a Deny list Policy in Symantec Endpoint Detection and Response (SEDR) appliance, it can be added with either its SHA256, MD5 file hash or both. The difference between these two options is explained below.
File hash SHA256
If Symantec Endpoint Protection (SEP) is configured to use the appliance as the Private Cloud, SEP immediately quarantines Deny listed SHA256 executable files when it detects them on the endpoints. SEDR will return a "Bad" reputation response for the file in question, thus convicting it. The Endpoint's Download Insight Protection Technology acts accordingly:
Note: If the SEP client has cached an Insight response in the IronDB, it will not perform another query until the cache expires.
Starting with SEDR 4.6 and SEP/M 14.3 RU1: SEDR will add the SHA2 hashes on the Deny list to a SEPM Exception policy. This will allow the client to immediately recognize the file as blocked, instead of relying on Insight queries.
File hash MD5
If SEDR is integrated with SEP, the MD5 hash value is added to the File fingerprint files list on Symantec Endpoint Protection Manager (SEPM) that corresponds with the name of the appliance. SEP's System Lockdown Feature will be automatically enabled in Blacklist Mode for all domains, and all groups within those domains, using the File fingerprint files list:
Note: The Blacklist Mode System Lockdown settings should not be changed to Whitelist Mode. While this action will not be prevented in SEPM, important applications on client computers will be blocked unintentionally, since Whitelist Mode will only allow applications on the list to be executed. In the below example the Operating System process svchost.exe is not on the Blacklist. Changing the mode to Whitelist blocks it from running.
If you add a new group to SEPM, the appliance File fingerprint files list is subsequently synchronized with that group as well. The File fingerprint files list does not affect other fingerprint files that you create in SEP.
See also: Interaction between system lockdown and Symantec EDR deny list (blacklist) rules which can be found in the SEP product technical documentation on the support portal.